Defend and Protect Against Ransomware
August 16, 2019 by
Ransomware attacks can have devastating consequences for organizations. Downtime is often more detrimental than ransom costs. Recovery is expensive, and there is a significant cost in system disruption, emergency response, and reputation damage.
There is no silver bullet for protecting your organization from a ransomware attack; however, there are steps you can take to improve your defenses and resilience. The following proactive steps can minimize your risk of falling victim to a ransomware attack.
Ransomware Defense Tips
Cybersecurity Awareness Training: The vast majority of ransomware attacks start with a phishing email, where an unsuspecting employee clicks on a malicious link. One of the best defenses you can build is a workforce that understands the fundamentals of cybersecurity, so that they can make everyday choices that promote it. Providing employees with instructor-led cybersecurity awareness training annually will teach them appropriate behaviors and give them a foundation for making good decisions.
Social Engineering Vulnerability Assessment: Track the success of your training programs and determine additional training needs with regular testing engagements. Social engineering assessments will identify and document successes and failures in user interaction with information systems, observance of confidentiality practices and procedures, as well as incident recognition, reporting, and response. You will get valuable data that can be incorporated into an ongoing security awareness program.
Your Processes and Policies
Patch Management: Some ransomware variants exploit unpatched operating systems and third-party software, and can even search the Internet for vulnerable systems. The best way to defend against this type of attack is to make sure your systems are up to date with patches.
Encryption: If you have systems on the Internet where users enter credentials, ensure the traffic is encrypted.
Multi-factor Authentication: Require multi-factor authentication for all remote access to sites where your users must login.
Principle of Least Privilege: Restricting administrative rights on endpoints greatly reduces your attack surface, because it limits what an attacker can do after compromising a user account that lacks those rights. It's best practice to give users the minimum permissions they need to perform their work.
Backup Data: Implement a backup process that maintains current backups of all your important data. The backups should be “air-gapped” or stored on a locked-down VLAN. Test the restore process frequently.
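One way to make the "test the restore process" step concrete is to record a hash manifest when the backup is taken and check every restored file against it during a restore drill. The following is an added example, not code from the article or from any backup product; the paths D:\Data and E:\RestoreTest are constructed placeholders, and the restore itself is left to whatever backup tool you use.

```powershell
# Added example (not from the article): hash manifest taken at backup time, then a
# restore drill that checks every restored file against it. D:\Data and E:\RestoreTest
# are placeholder paths; the restore step is performed by your backup tool.

function New-BackupManifest {
    param([string]$SourceRoot, [string]$ManifestPath)
    # Record a SHA-256 per file, keyed by its path relative to the backup root
    $rows = Get-ChildItem -Path $SourceRoot -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($SourceRoot.TrimEnd('\').Length + 1)
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
        }
    }
    $rows | Export-Csv -Path $ManifestPath -NoTypeInformation
    $rows.Count
}

function Test-RestoredBackup {
    param([string]$RestoreRoot, [string]$ManifestPath)
    $problems = @()
    foreach ($row in Import-Csv -Path $ManifestPath) {
        $restored = Join-Path $RestoreRoot $row.RelativePath
        if (-not (Test-Path -LiteralPath $restored)) {
            $problems += "MISSING  $($row.RelativePath)"
            continue
        }
        $hash = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
        if ($hash -ne $row.Sha256) {
            # The restored file differs from what was backed up: corruption or tampering
            $problems += "ALTERED  $($row.RelativePath)"
        }
    }
    $problems
}

# Restore drill: restore into a scratch location, never over production, then verify.
$manifest = Join-Path $env:TEMP 'backup-manifest.csv'
$count = New-BackupManifest -SourceRoot 'D:\Data' -ManifestPath $manifest
"Manifest covers $count files"
# ... restore D:\Data from the air-gapped copy into E:\RestoreTest with your backup tool ...
$issues = @(Test-RestoredBackup -RestoreRoot 'E:\RestoreTest' -ManifestPath $manifest)
if ($issues.Count -eq 0) { 'Restore drill passed' } else { $issues }
```

Keep the manifest with the offline copy rather than only on the host being backed up; a manifest that lives on the same box is encrypted along with everything else when the host is hit, and a drill that reports "passed" is only meaningful if the manifest it checked against was out of the attacker's reach.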
Threat Detection / Alerting: In today’s threat environment, signature-based detection is not enough. You need to proactively hunt for threats on your network every day. A managed threat detection service that utilizes a threat hunting methodology, like Tyler Detect, is a reliable and cost-effective way to detect an incident before encryption occurs. Finding a partner that acts as an extension of your team can allow you to focus on your core competencies and still leverage all the cybersecurity advantages an in-house threat hunting team brings to the table for this critical functional responsibility.
IP Restriction: If you can block outbound traffic by GeoIP, and you have no business with hacker-havens such as Eastern Europe, Russia, etc. – block the traffic.
Software Restriction: Use software restriction and/or software “white listing” policies to block execution from \ProgramData and \Users directories.
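The AppLocker path rules below implement exactly that restriction: executable launches from \ProgramData and \Users on the OS drive are denied, with the default allow rules AppLocker needs so Windows and Program Files keep working. This is an added example, not configuration from the article; it assumes an elevated PowerShell session on a Windows edition that ships AppLocker, and the rule ids are GUIDs generated when the script runs.

```powershell
# Added example (not from the article): AppLocker path rules that deny executable
# launches from \ProgramData and \Users, staged in audit mode before enforcement.
# Assumes an elevated session on a Windows edition that ships AppLocker.

function New-RansomwarePathPolicyXml {
    $ids = 1..5 | ForEach-Object { [guid]::NewGuid().ToString() }
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Default allow rules so Windows itself and installed software keep running -->
    <FilePathRule Id="$($ids[0])" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($ids[1])" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($ids[2])" Name="Allow local administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Deny rules for the two user-writable roots named in the article; deny wins over allow -->
    <FilePathRule Id="$($ids[3])" Name="Deny ProgramData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\ProgramData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($ids[4])" Name="Deny Users" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$xmlPath = Join-Path $env:TEMP 'applocker-path-rules.xml'
New-RansomwarePathPolicyXml | Set-Content -Path $xmlPath -Encoding UTF8

# Dry run: copy a benign Windows binary into a user profile folder and ask AppLocker what
# the policy would decide for it, compared with the same binary in System32.
$probe = Join-Path $env:USERPROFILE 'Downloads\applocker-probe.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $probe
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $probe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $probe

# Apply in audit mode, merged with any existing local policy, and make sure the
# Application Identity service that evaluates AppLocker rules is running.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
sc.exe config appidsvc start= auto | Out-Null   # Set-Service is refused for this service on recent Windows
Start-Service -Name AppIDSvc

# Review what would have been blocked (8003 = audited, 8004 = enforced block) before
# changing EnforcementMode to "Enabled".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```

Run in AuditOnly for a few weeks first: the 8003 events will surface legitimate software that installs into user profiles (per-user installers, some collaboration clients), which then need their own publisher or hash allow rules before the collection is switched to Enabled.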
Site Blocking: If you have a proxy, block “unrated” sites. This can go a long way to helping reduce your exposure.
Network Segmentation: Network segmentation can contain an infection by stopping its spread across your entire network. Segregate critical services with firewall segmentation, and isolate workstations from one another using their built-in host firewalls. If components don’t require interaction or communication, don't allow them to, and those that do should be permitted to interact only via restricted channels, ports, and protocols.
Of course, defensive strategies are not enough. You should also be prepared to respond should you be compromised. Download our Ransomware Incident Response Checklist to learn how.